The National Institute of Standards and Technology (NIST) is investigating a set of serious security vulnerabilities in supposedly secure USB flash drives revealed by a German security firm last week.

The flaws -- which affects drives sold by several manufacturers, including Kingston, SanDisk and Verbatim -- could allow an attacker to read the data on a drive encrypted with the government-recommended 256-bit Advanced Encryption Standard. However, the flaws are not in the encryption modules validated by the U.S. government, but in the software that authorizes decryption, according to NIST's preliminary findings.

"From our initial analysis, it appears that the software authorizing decryption, rather than the cryptographic module validated by NIST, is the source of this vulnerability," the agency said in a statement sent to SecurityFocus. "Nevertheless, we are actively investigating whether any changes in the NIST validation process should be made in light of this issue."

Last week, security firm SySS revealed analyses of both SanDisk and Kingston secure USB flash memory showing that both could be accessed by unauthorized users in physical possession of the hardware. Both flash memory sticks load a password handling program into memory. The program produces a 32-byte code for unlocking the encrypted partition on the flash memory drive. Researchers from SySS created a memory patch program that would modify the SanDisk and Kingston programs to always produce the correct unlock code.

"The software tool modifies the (unlocking) process during runtime in such a way that the aforementioned 32 bytes are always used in the further login process (sic) no matter what the user-supplied password is," the company stated in its analysis. "Therefore, the protected data storage of the USB flash drive can be accessed with an arbitrary password."

All three companies have released advisories on the security issues and patches for correcting it.